Adobe, Mozilla bring sandboxed Flash plug-in to Firefox


The gap between web browser functionality and feature sets isn’t as wide as it once was. But while performance has levelled out somewhat, there are other ways in which the key players differentiate themselves. For Chrome, its sandboxing system provides a layer of security that other browsers haven’t yet been able to match. Soon, however, Firefox users will get a taste, too.

Mozilla and Adobe have collaborated on a sandboxed version of the Flash plug-in that is already available as a beta download. It’s similar to the sandboxing feature that Adobe delivered in Adobe Reader X just over a year ago. In the time since Reader X’s release, not a single successful exploit of the PDF viewer — once the security community’s whipping boy — has been reported.

Like Reader X, the sandboxed Flash plug-in is heavily restricted in how it can send data to and receive data from the browser. That should lead to substantially fewer successful drive-by attacks that utilize Flash exploits — and it will also provide Adobe with a safety cushion when new security flaws are reported.

With the Flash plug-in sandboxed, the bad guys will not only have to find a zero-day exploit, they’ll also need to figure out how to escape the sandbox. As we’ve seen over and over at Pwn2Own, that’s not the easiest thing in the world to do: Chrome is often completely ignored by the security conference’s participants because of that additional hurdle.

As is the case with a lot of good news, there’s some not-so-good news here. The Flash plug-in will only be sandboxed on Firefox 4.0 or newer, and only on Windows 7 and Windows Vista machines. That means no sandboxing for users of any non-Chrome browser on OS X or Linux, and no support for Windows XP — still the world’s most-used operating system.